[Snort-users] Reliability of signatures

Martin Holste mcholste at ...11827...
Fri Feb 4 09:50:48 EST 2011

> The snort signatures have a priority associated with them, either in the
> rule itself, or in the classification. Is there anywhere that the
> reliability (ie. the chance of it not reporting a false positive) of the
> signature is recorded?

No.  There has been a lot of discussion regarding whether or not
something like that would be helpful.  I think the short answer is
that environments and preferences vary too widely to be able to
effectively communicate a signature's fidelity.  I would also argue
for those same reasons priority should not be suggested either and it
should be deprecated.

I ignore both priority and classification for signatures as they are
terribly broken right now.  For instance, the signature "CHAT MSN
messenger http link transmission attempt" is classified as Trojan
activity.  Sure, links in an MSN message can point to malware, but I
hardly think that every MSN message with a link in it should be
classified as "Trojan activity."  This is not good intel.

An effort is underway to redo the classification system, which is very
welcome.  However, I believe the new classification system will be
almost as unhelpful because though more specific, it only allows for a
signature to be placed in one category.  I favor a tagging system in
which a signature can have many tags applied to it for a comprehensive
representation of the signature author's intent.

More information about the Snort-users mailing list